Research, the Cloud, and the IRB: NEW OPPORTUNITIES :: NEW CHALLENGES Michael Zimmer, PhD Assistant Professor, School of Information Studies Director, Center for Information Policy Research University of Wisconsin-Milwaukee zimmerm@uwm.edu www.michaelzimmer.org • Anyone who has studied the history of technology knows that technological change is always a Faustian bargain • Technology giveth and technology taketh away, and not always in equal measure. • A new technology sometimes creates more than it destroys. Sometimes, it destroys more than it creates. But it is never one-sided. • 10/12/2012 Virginia IRB Consortium Conference Neil Postman 2 Agenda • What is Cloud Computing? • Opportunities for Use in Research • Ethical Dimensions • • • • Subject confidentiality & anonymity Data privacy & security Data ownership & stewardship Research integrity & authorship • Conceptual Gaps & Policy Vacuums • What can Researchers and IRBs do? 10/12/2012 Virginia IRB Consortium Conference 3 What is Cloud Computing? KEXINO (CC BY-NC-ND 2.0) http://www.flickr.com/photos/kexino/4202662815/ 10/12/2012 Virginia IRB Consortium Conference 4 What is Cloud Computing? • On-demand, network-based access to computing recourses • Features Location independent; supports increased mobility • Flexible, scalable, robust • On-demand performance; big data processing • Little (if any) local support or maintenance • 10/12/2012 Virginia IRB Consortium Conference 5 What is Cloud Computing? • Milestones • • • • • 1999 – Salesforce.com delivers enterprise services via the web 2002 – Amazon Web Services (storage, computation, human intelligence via the cloud) 2004 – Gmail reboots web-based email, follows with Google Docs 2006 – Amazon’s Elastic Compute Cloud (EC2) 2007 – IBM shifts focus to the cloud • Popularity As early as 2008, 69 percent of Americans were using webmail services, storing data online, or otherwise using software programs located on the web • By 2011, 80% of Fortune 500 companies use IBM cloud • 10/12/2012 Virginia IRB Consortium Conference 6 3 Layers of Cloud Computing http://en.wikipedia.org/wiki/File:Cloud_computing.svg (CC BY-SA 3.0) 10/12/2012 Virginia IRB Consortium Conference 7 Application Layer • “Software as a service” • Providing productivity applications via the Web; no local software needed 10/12/2012 Virginia IRB Consortium Conference 8 Platform Layer • “Platform as a service” • Providing application development platforms and operating systems via the Web • Can deploy applications without needing your own infrastructure or distribution channels 10/12/2012 Virginia IRB Consortium Conference 9 Infrastructure Layer • “Infrastructure as a service” • Provide computing infrastructure on demand • Outsourcing servers, storage, network equipment, processing power, data centers 10/12/2012 Virginia IRB Consortium Conference 10 Research Opportunities for Cloud Computing • Application layer • • Most common and easiest application of cloud Data gathering, storage, collaboration • Platform layer • Hosted apps for recruitment & surveys • Infrastructure layer • • Access to increased processing power for large-scale research projects Some non-traditional uses 10/12/2012 Virginia IRB Consortium Conference 11 Research Opportunities: Applications • Data gathering using web-based survey applications SurveyMonkey • Zoomerang • Qualtrics • • Typically used “in the wild”, sometimes institutionally-bound 10/12/2012 Virginia IRB Consortium Conference 12 Research Opportunities: Applications • Data storage & sharing using cloud-based applications Dropbox • Box.net • iCloud • • Communication & collaboration using cloudbased applications • • • Gmail, IM, Skype Google Docs, Office Live Wikis 10/12/2012 Virginia IRB Consortium Conference 13 Research Opportunities: Platforms • With skilled programmers, can build custom apps to deploy via cloud-based platforms Subject recruitment and screening apps on Facebook • Building and deploying test instruments within online gaming platforms • Monitoring and activity tracking apps on mobile device platforms • 10/12/2012 Virginia IRB Consortium Conference 14 Research Opportunities: Infrastructure • Leverage cloud-based computing infrastructures to handle resource-intensive processing tasks • • Clinical trial data storage & processing Sharing extremely large databases • Innovative, non-traditional use of cloud-based processing “resources” • • • ____@Home (distributed computing) Fold.It Amazon Mechanical Turk 10/12/2012 Virginia IRB Consortium Conference 15 Fold.It • Web-based puzzle video game to assist with protein folding research • Leverage millions of gamers to assist in data processing 10/12/2012 Virginia IRB Consortium Conference 16 Fold.It http://fold.it/ 10/12/2012 Virginia IRB Consortium Conference 17 Fold.It • Web-based puzzle video game to assist with protein folding research • Leverage millions of gamers to assist in data processing • Players produced an accurate 3D model of and AIDS-related enzyme in just 10 days • Researchers had been trying for 15 years 10/12/2012 Virginia IRB Consortium Conference 18 Amazon Mechanical Turk • Facilitates outsourcing of computational or other mundane tasks • Requesters post “Human Intelligence Tasks” offering minimal fees • Workers select tasks to complete for micropayments 10/12/2012 Virginia IRB Consortium Conference 19 Amazon Mechanical Turk 10/12/2012 Virginia IRB Consortium Conference 20 3 Layers of Cloud Computing http://en.wikipedia.org/wiki/File:Cloud_computing.svg (CC BY-SA 3.0) 10/12/2012 Virginia IRB Consortium Conference 21 Ethical Dimensions • Subject confidentiality & anonymity • Data privacy & security • Data ownership & stewardship • Research integrity & authorship 10/12/2012 Virginia IRB Consortium Conference 22 Subject Confidentiality & Anonymity • When recruiting subjects or collecting data with cloud-based applications… • • • Are IP addresses logged in such a way to allow reidentification of subjects Using a Facebook app might provide researchers access to unnecessary personal information Are cloud providers tracking data and usage themselves? Delivering ads? Selling user data? 10/12/2012 Virginia IRB Consortium Conference 23 Data Privacy & Security • Critical concern of any cloud system, takes on even more importance when dealing with subject data • • • Are cloud-based communication and collaboration systems using SSL encryption? Is data stored on cloud-servers encrypted? What is service’s policy regarding 3rd party access • • • Advertisers Investigative inquiry vs. subpoena vs. warrants? Electronic Communication Privacy Act (ECPA) 10/12/2012 Virginia IRB Consortium Conference 24 Data Ownership & Stewardship • Who owns, and who controls (meta)data in the cloud? • • • • Are you granting the cloud provider any license to use your data or activities (for advertising, data mining, etc)? Can you ensure data remains in the U.S.? Can data be destroyed on demand, including backups? Can you ensure cloud provider won’t hold your data “hostage”, or disappear? 10/12/2012 Virginia IRB Consortium Conference 25 Research Integrity & Authorship • Should researchers rely on cloud-based data processing and analysis? • • • Can you trust (or audit?) external/collaborative processing platforms Ethical to use Mechanical Turk, or otherwise outsource mundane tasks to unknown persons for nominal wages? Authorship claims? 10/12/2012 Virginia IRB Consortium Conference 26 Conceptual Gaps & Policy Vacuums • Emergence of new technologies often lead to conceptual gaps in how we think about ethical problems, and reveal policy vacuums for how we should best address them • • Computer technology transforms “many of our human activities and social institutions,” and will “leave us with policy and conceptual vacuums about how to use computer technology” “Often, either no policies for conduct in these situations exist or existing policies seem inadequate. • 10/12/2012 Jim Moor, “What is Computer Ethics?” Virginia IRB Consortium Conference 27 Conceptual Gaps & Policy Vacuums • The fluidity and complexity of cloud-based tools and platforms creates potential conceptual gaps • • Are these ethical dimensions merely the same as before, or fundamentally different due to the cloud? Does the nature of anonymity, privacy, consent, even harm change when dealing with cloud-based research? 10/12/2012 Virginia IRB Consortium Conference 28 Conceptual Gap: Privacy • Presumption that because subjects make information available on a cloud-based service, they don’t have an expectation of privacy Researchers/IRBs might assume everything is always public, and was meant to be • Assumes no harm could come to subjects if data is already “public” • • New ethical problems… Ignores contextual nature of sharing • Fails to recognize the strict dichotomy of public/private doesn’t apply in the 2.0 world • Need to track if ToS/architecture have changed, or if users even understand what is available to researchers • Nissenbaum, H. 2011. “Privacy in Context: Technology, Policy, and the Integrity of Social Life” 10/12/2012 Virginia IRB Consortium Conference 29 Conceptual Gap: Anonymity vs. Identifiability • Presumption that stripping names & other obvious identifiers provides sufficient anonymity when sharing data in the cloud • Assumes only PII allows re-identification • New ethical problems… • • Ignores how anything can potentially identifiable information and become the “missing link” to re-identify an entire dataset “Anonymous” datasets are not achievable and provides false sense of protection Ohm, P. “Broken promises of privacy: Responding to the surprising failure of anonymization.” UCLA Law Review 10/12/2012 Virginia IRB Consortium Conference 30 Conceptual Gap: Consent • Presumption that because something is shared or available without a password, the subject is consenting to it being harvested for research • Assumes no harm can come from use of data already shared with friends or other contextually-bound circles • New ethical problems… • • Must recognize that a user making something public online comes with a set of assumptions/expectations about who can access and how Must recognize how research methods might allow unanticipated access to “restricted” data 10/12/2012 Virginia IRB Consortium Conference 31 Conceptual Gap: Harm • Presumption that “harm” means risk of physical or tangible impact on subject • Researchers often imply “data is already public, so what harm could possibly happen” • New ethical problems • Must move beyond the concept of harm as requiring a tangible consequence • • Protecting from harm is more than protecting from hackers, spammers, identity thieves, etc Consider dignity/autonomy theories of harm • • Must a “wrong” occur for there to be damage to the subject? Do subjects deserve control over the use of their data streams? 10/12/2012 Virginia IRB Consortium Conference 32 Conceptual Gap: Human Subjects • Researchers (esp. CompSci) often interact only with datasets, objects, or avatars, thus feel a conceptual distance from an actual human • Often don’t consider what they do as “human subject” research • New ethical problems • • Must bridge this (artificial) distance between researcher and the actual human subject Also consider other stakeholders within the complex arrangement of information intermediaries Carpenter, K & Dittrich, D. “Bridging the Distance: Removing the Technology Buffer and Seeking Consistent Ethical Analysis in Computer Security Research” 10/12/2012 Virginia IRB Consortium Conference 33 Conceptual Gaps & Policy Vacuums • The fluidity and complexity of cloud-based tools and platforms creates potential conceptual gaps Are these ethical dimensions merely the same as before, or fundamentally different due to the cloud? • Does the nature of anonymity, privacy, consent, even harm change when dealing with cloud-based research? • • Leaving researchers & IRBs with considerable policy vacuums How should researchers deal with using the cloud in their projects? • How should IRBs review them? • • And how can we ensure good research still gets done… 10/12/2012 Virginia IRB Consortium Conference 34 What can Researchers & IRBs do? - broadly • Get educated, find recourses • • Events like today; PRIM&R Utilize disciplinary resources • • • For example: “Ethical decision-making and Internet research: Recommendations from the AoIR Ethics Working Committee” Keep up on research Utilize experts • Look for guidance • Increased attention hopefully will prompt guidance from HHS and related regulatory bodies 10/12/2012 Virginia IRB Consortium Conference 35 What can Researchers & IRBs do? - practically • Read and understand the Terms of Service • Incorporate in risk analysis • Include mention of cloud-based services in consent forms • Level of detail? • Monitor/audit cloud services over life of project • Have terms or practices changed? • All this is new, complex, and difficult… 10/12/2012 Virginia IRB Consortium Conference 36 • Anyone who has studied the history of technology knows that technological change is always a Faustian bargain • Technology giveth and technology taketh away, and not always in equal measure. • A new technology sometimes creates more than it destroys. Sometimes, it destroys more than it creates. But it is never one-sided. • 10/12/2012 Virginia IRB Consortium Conference Neil Postman 37 Research, the Cloud, and the IRB: NEW OPPORTUNITIES :: NEW CHALLENGES Michael Zimmer, PhD Assistant Professor, School of Information Studies Director, Center for Information Policy Research University of Wisconsin-Milwaukee zimmerm@uwm.edu www.michaelzimmer.org